Здравствуйте, уважаемые!

Имею ГУ Columbus для а/м Skoda Octavia A7.
Хочу подключиться к аппарату посредством терминала. Идея навеяна вот этим руководством http://ru.scribd.com/doc/225614389/How-to-recover-a-bricked-Audi-MMI-3G-or-3G-Plus#scribd

Но таких коннекторов, подобных указанному в этом мануале, на материнской плате моего аппарата два. Непонятно, где и как искать TX, RX.
Кто что может подсказать, буду признателен за помощь.


ниже перевод на английский

here translated into English

Hello, dear!

I have the Columbus (mib 1) for Skoda Octavia A7.

I want to connect to the device through the terminal. The idea here is inspired by this guide http://ru.scribd.com/doc/225614389/How-to-recover-a-bricked-Audi-MMI-3G-or-3G-Plus#scribd

However, such connectors on the motherboard of my device - two, as opposed to one, as in this manual. It is not clear where and how to look for TX, RX.

Anybody can help, I will be grateful for your help.

Hey my friend! The MIB you unit of The have, is a the complete the Hardware Different as with the MMI3G in the bricked the discription.
You CAN use nothing from the this thread for the you have the MIB. Of The the Serial the Port is reacheable from the Quadlock connector on the REAR! You don'nt have a need to open the unit! ;-)

By the way: The port is locked by a root password!

You CAN use nothing from the this thread for the you have the MIB

My unit have the same operating system (QNX) and the same file structure system (at least very similar).
May be something from this thread helps, i hope.

By the way: The port is locked by a root password!

Tschako,

Thanks.

What we have now. Yes, the system asks a root password. Somebody knows it? Is it any way to determine it, may be extract "shadow" file/hash ?

The second thing, we can enter to the IPL mode. In this mode, we can some set of commands.

eraseit & flashit are that supported (info from "help command")

There is a question. What possible to do with all this ? Is it possible to download the current firmware?

If not, how to modify it (some parts? )

Use wlan connect
I`m PM you

Tschako (http://turbo-quattro.com/member.php?7529-Tschako) I like your avatar.

audijiJQ (http://turbo-quattro.com/member.php?8124-audijiJQ)

Thanks, but my device does not have wlan (wi-fi), only bluetooth.

audijiJQ (http://turbo-quattro.com/member.php?8124-audijiJQ)

Thanks, but my device does not have wlan (wi-fi), only bluetooth.

OK，now,find this MMX-ROOT password is problem

Someone is selling change passwd tool

What address for boot ifs-emergency?

For flashing ifs-emergence is - 0x00020000, but when I trying to boot 20000 - I've got an error

=> boot 20000
missing/invalid argument/option

The Harman developers do a fine job to secure the MIB. All access and flashing activities in the actual MIB release firmware versíons were secured by special procedures and certificates means signatures and hashes. Not the old and simple usage of checksums. The developer password for root are not known in the community right now, as far I know...

The main SW system is build on QNX, thats true. But they use two corresponding envirements named "MMX" and "RCC" for different job level in the unit.

It´s not possible to direct boot from the IPL to the EMG Image like the MMI platform. You have to path via the transaction image as an example...

I don't want to use custom firmware, i want to restore my efs-persist from original firmware :(

do you have access to the green engineering menu?

Yes you are right.The developers have done a good job security MIB-1.

But, nevertheless, MIB1, and even MIB2 has been hacked.
Firmware of my device is 0202, this firmware is buggy and now she has a problem - the constant rebooting.
The device inoperable.
How can reflash it to the latest firmware?
I don't have access to green menu...currently, my device is a brick 99%.

"use the Script on the unit,then ,it`s change admin root password ,after reboot system ,now ,you can use a new password login RCC and MMX "
Russian friend is selling this tool ,or A MIB Programme $9500，but I don't believe the price

It´s not possible to direct boot from the IPL to the EMG Image like the MMI platform. You have to path via the transaction image as an example...

After command "boot" it loading an emergency IFS. But some errors occur during the loading process. If you know a solution how to fix it - explain,
please.




Also, in the IPL mode, I have constant rebooting occur - do not understand why, how to fix it?

The reboot is part of the build in trouble shooting routine. The mmx ramdisk image in the flash is missing and the internal routine tries to fix the problem with rebooting...

Try to initiate an Emergency FW update with the command "dd if=/dev/zero of=/dev/fs0 seek=59 bs=131072 count=1 > /dev/null 2>&1"
if possible. Make sure to have a valid FW Version in the SD slot.

Last chance could be to erase the transaction image with command "flashit -a 540000 -e 1000".
Following this, the emergency app should try to start the emg app with an emg update from SD.
Make sure to have a valid FW Version in the SD slot too.

Tschako (http://turbo-quattro.com/member.php?7529-Tschako)

"mmx ramdisk is missing" - this is the operation system bug/error?

It is happened a few days ago, I turned on the trace in the engineering menu.

At first everything was fine, but then the device was continuously reboot.
Now it is impossible to turn off tracing, and my device became a brick.

(Perhaps it's just a coincidence, and to blame the 0202 firmware ...I do not know much about the address.

They are correct for my device? In what format should I write the firmware to SD-card? I have the firmware file in * .zip from the Discovery (0200 version) and the firmware file from Columbus (native), 0390 version.

Thanks for your help.

Bad idea to activate the trace function w/o any need... sorry to say! The problem would be, that the trace writes and writes and fullfill the flash ramdisk til it crashes.

I´m sorry, but for the Columbus FW versions I don´t have any information.
For the Audi MIB the version 0337 is quite old and 1531 is the actual one...

You have to use the exactly the same region and variant of the FW on a FAT32 formatted SD Card for an emergency update.
Wrong variant or region doesn´t work.

You have to use the exactly the same region and variant of the FW on a FAT32 formatted SD Card for an emergency update.
Wrong variant or region doesn´t work.

I have EU version, so everything ok with this.


Bad idea to activate the trace function w/o any need... sorry to say! The problem would be, that the trace writes and writes and fullfill the flash ramdisk til it crashes.


Yes...
It was my fault. Now I can not turn off this trace, after deactivation option, reboot the device - option is active again.
It is necessary to disable this option, but it is unknown how.


There is any way to clean/restore the virtual ramdisk?
Complete firmware changing will lead to the activation the component protection, also navigation will not work. Not a best way.

"Complete firmware changing will lead to the activation the component protection, also navigation will not work."

The CP signature is not part of the Firmware or software. The CP Signature is part of the specific EEProm of the Unit.
Means, if you do a emergency recovery, normally the CP signature was protected and there was no changes in it. I´m not shure for the Map autorization?!

"Complete firmware changing will lead to the activation the component protection, also navigation will not work."

The CP signature is not part of the Firmware or software. The CP Signature is part of the specific EEProm of the Unit.
Means, if you do a emergency recovery, normally the CP signature was protected and there was no changes in it. I´m not shure for the Map autorization?!


He meaning that he has patched unit from APG :) Without blocking sound even if CP is on.

...

OK, thats possible. But for my information, the APG MIB Jail-Break has a sub-PCB for emulating like a VIN Faker, isn´t it??

Unfortunately I don't know. I was used their units. Units was with CP error, but sound was not muted, also unit had Golf VIN on all of them, I think APG - is software solution with custom GEM (with disable/enable diagnostic option)

I have a question. I completely flashed all known partiotions in MIB from Emerg mode, but how I can flash app.img on MIB? Does some specific address, you know? btw. I took Adresses from metainfo2.txt from original firmware but there are no address for app.img
Thanks..

Unfortunately I don't know. I was used their units. Units was with CP error, but sound was not muted, also unit had Golf VIN on all of them, I think APG - is software solution with custom GEM (with disable/enable diagnostic option)

I have a question. I completely flashed all known partiotions in MIB from Emerg mode, but how I can flash app.img on MIB? Does some specific address, you know? btw. I took Adresses from metainfo2.txt from original firmware but there are no address for app.img
Thanks..


This`s my question too，all /MMX/*.img files

Some body have that firmware:
MHI2_ER_SKG11_P0260
MHI2_ER_SKG11_P2104
MHI2_ER_SKG11_P2129
for mib 2 Columbus?

Why do U need those old version?

Why do U need those old version?
For updating, my unit have MHI2_ER_SKG11_P0260 (v.200), now update possible only to MHI2_ER_SKG11_P2104 / MHI2_ER_SKG11_P2129, on newer versions unit says "Train is locked".
Now i have hash for P0260 (v.200).

Sent me your eeprom.

I solved this question.

Sent me your eeprom.

I second the above request, I need some of these softwares:
MHI2_ER_SKG11_P0260
MHI2_ER_SKG11_P2104
MHI2_ER_SKG11_P2129

I have a very old MIB2 Skoda Columbus with sw 0200 and I can't update because train is blocked. I can't modify the eeprom because I don't have the root pass for sw 0200.

Anybody can share the above softwares or a root pass for 0200?

Password for energency not harman_f?

For emergency the pass is still harman_f, but I need the MMX pass as in RCC I cannot use modifyE2P because of missing DSI.

Unfortunately I don't know. I was used their units. Units was with CP error, but sound was not muted, also unit had Golf VIN on all of them, I think APG - is software solution with custom GEM (with disable/enable diagnostic option)

I have a question. I completely flashed all known partiotions in MIB from Emerg mode, but how I can flash app.img on MIB? Does some specific address, you know? btw. I took Adresses from metainfo2.txt from original firmware but there are no address for app.img
Thanks..

This`s my question too，all /MMX/*.img files

This is a old post but I have the same question for the MIB/MIB2 units: How to flash/replace app.img?

This is a old post but I have the same question for the MIB/MIB2 units: How to flash/replace app.img?

Open app.img file and paste partiontable header from 0x0 to 0x7fff. Then put it to mnand0.

dd if=..../path_to_sd/app(with header).img of=/dev/mnand0


or

dd if=..../path_to_sd/app.img skip 64 of=/dev/mnand0

Open app.img file and paste partiontable header from 0x0 to 0x7fff. Then put it to mnand0.

dd if=..../path_to_sd/app(with header).img of=/dev/mnand0


or

dd if=..../path_to_sd/app.img skip 64 of=/dev/mnand0
Thanks for your help, I am learning a lot with you, I try to undestand the structure and do not brick more my MMX.
I dumped mnand0 to sda0 with cat ... > file.img and most content from 0x0 to 0x7FFF is F3DEBC9A (attached img): Is it the expected header to paste into app.img?

69504

...or

dd if=..../path_to_sd/app.img skip 64 of=/dev/mnand0

update: I think this command should be dd if=..../path_to_sd/app.img seek=64 of=/dev/mnand0